The Data Privacy Act of 2012 (Republic Act No. 10173) protects your personal information and gives you rights over how it is collected and used, including the rights to be informed, to access, to object, to correct, and to have data erased or blocked. Complaints are filed with the National Privacy Commission, usually after first raising the issue with the company or organization that holds your data.
From online lending apps that harvest a borrower’s contacts to companies that suffer data breaches, misuse of personal information is a growing problem. The Data Privacy Act of 2012 gives Filipinos enforceable rights over their data and a body to enforce them. This commentary explains what the law protects, your rights as a data subject, and how to complain to the National Privacy Commission.
What the Data Privacy Act Protects
Republic Act No. 10173 protects personal information in both the government and private sectors and created the National Privacy Commission (NPC) to enforce it. Any entity that processes personal data — a personal information controller — must have a lawful basis for doing so, usually the consent of the data subject, and must observe the principles of transparency, legitimate purpose, and proportionality. Data may be collected only for a declared purpose and only to the extent necessary.
Your Rights as a Data Subject
The law gives every data subject a set of rights, including:
- Right to be informed that your personal data is being collected and processed, and why;
- Right to access the personal data an organization holds about you;
- Right to object to processing, including for direct marketing;
- Right to rectification — to correct inaccurate or erroneous data;
- Right to erasure or blocking — to have data removed or blocked when it is incomplete, outdated, false, unlawfully obtained, or no longer necessary;
- Right to damages for violations, and the right to data portability and to file a complaint with the NPC.
Duties of Companies That Hold Your Data
Organizations are not free to do as they please with your information. They must secure personal data with organizational, physical, and technical measures, use it only for the declared purpose, and, under NPC rules, notify the NPC and affected individuals of serious data breaches. Many are required to appoint a Data Protection Officer and to register their data processing systems. Failing these duties can lead to NPC enforcement action.
How to Complain to the National Privacy Commission
Enforcing your rights follows a general path:
- Raise the matter first with the personal information controller — the company or agency holding your data — and give it a chance to respond. The NPC generally expects this step before a formal complaint, unless an exception applies.
- If unresolved, file a verified complaint-affidavit with the NPC, attaching your evidence, within the period allowed by its rules.
- The NPC evaluates the complaint, may refer the parties to mediation, and can proceed to investigation and adjudication. Full resolution commonly takes several months.
The NPC can order a personal information controller to comply, issue cease-and-desist orders, and recommend criminal prosecution.
Penalties for Violations
The Data Privacy Act carries real teeth. It imposes imprisonment and substantial fines for offenses such as unauthorized processing, accessing personal data due to negligence, improper disposal, and malicious disclosure. Penalties are heavier when sensitive personal information — such as health, financial, or government-issued identifiers — is involved.
Frequently Asked Questions
What rights do I have under the Data Privacy Act? You have the right to be informed about the processing of your data, to access it, to object, to correct inaccuracies, to have data erased or blocked in proper cases, to data portability, and to be indemnified for damages. You also have the right to file a complaint with the National Privacy Commission.
How do I file a complaint with the National Privacy Commission? You generally must first raise the matter with the company or organization holding your data and give it a chance to act. If it is unresolved, you file a verified complaint-affidavit with the NPC, with supporting evidence. The NPC then evaluates, may mediate, and can investigate and decide the case.
Can online lending apps access my contacts and photos? Only with a lawful basis and for a declared, legitimate purpose. Harvesting a borrower's contacts to shame them is a common violation of the Data Privacy Act, and the National Privacy Commission has acted against such practices.
What are the penalties for violating the Data Privacy Act? The law imposes imprisonment and substantial fines for offenses such as unauthorized processing, negligent access, improper disposal, and malicious disclosure of personal information, with heavier penalties when sensitive personal information is involved.
This commentary is for general informational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a licensed attorney.
If your personal data has been misused and you want to assert your rights or file a complaint with the NPC, our firm is available to assist. You may reach us via Viber or WhatsApp, call us at 0995 433 5550, or send an email to vivasnobles@gmail.com. We look forward to hearing from you.